Skip to main content
River School
Menu

River School · Privacy Policy

Last updated: [DATE OF LAUNCH] Version: 1.0

River School is a homeschool curriculum service. We know family data is sensitive, especially children's data. This policy explains what we collect, why we collect it, who we share it with, and the choices you have.

Plain-English summary upfront:

  • We collect only what we need to teach your child and keep you informed as a parent.
  • We do not sell your family's data. We do not run behavioral ads. Ever.
  • We use Anthropic's Claude to grade open-ended writing, run tutor conversations, and write weekly parent digests. We tell you exactly what goes to Anthropic and when.
  • Your child's written work is kept for 180 days by default. Mastery progress (scores, concepts) is kept as long as your account is active. You can delete everything anytime.
  • Parents control everything: consent, retention settings, whether your child's work is quoted in digests, and account deletion.

The rest of this document spells out the details.

1. Who this policy covers

This policy applies to:

  • The parent or legal guardian who holds the River School account ("you")
  • Any children you have set up as learners under that account ("your child")

2. What we collect

From you, the parent

  • Email address (required — how we reach you)
  • Name (used to personalize account emails)
  • Billing information processed by Stripe (we never see your card number)
  • Your preferences (retention setting, celebrated-quotes toggle, digest cadence, etc.)

From your child

  • First name and grade level (you set this up)
  • A sign-in credential (a short, kid-friendly passcode you help them create — we don't require email for children)
  • Responses to lesson items (typed text, multiple-choice picks, drag-drop arrangements, etc.)
  • If your child uses the optional tutor conversation scaffold: the transcript of that conversation
  • Session metadata (what subject, what lesson, what day, how long, what they got right or wrong)

Automatically, when the service is used

  • Standard web server logs (IP address, browser type, timestamp) — used for security and debugging, kept for no more than 30 days
  • Error reports via Sentry (we scrub personal fields before sending; see §5)

What we do not collect

  • Photos or video of your child
  • Voice recordings (your child's audio is transcribed in the browser and only text is sent to our servers)
  • Location beyond the country/region implied by your IP
  • Behavioral tracking across other websites
  • Cookies or pixels from ad networks

3. How we use data

We use what we collect to:

  1. Run the service — show your child the next lesson, grade their work, track mastery.
  2. Generate your weekly digest — the email-style summary of what your child worked on.
  3. Keep your account secure (detect suspicious sign-ins, rate-limit abuse).
  4. Support you when you email us for help.
  5. Improve the product — in aggregate, de-identified form (see §8).

We do not use your family's data to:

  • Train advertising models
  • Sell to data brokers
  • Profile your child for anything beyond educational purposes within River School

4. When we send data to Anthropic (our AI sub-processor)

River School uses Anthropic's Claude models through Anthropic's API to handle three specific jobs. Everything sent to Anthropic is governed by Anthropic's commercial terms, which (as of this policy's effective date) prohibit Anthropic from using API inputs or outputs to train models.

Here is exactly what gets sent, and when.

4a. Grading open-ended writing

When: your child submits a short-answer or long-response item that needs rubric-based scoring.

Sent to Anthropic:

  • The question stem the child answered
  • The scoring rubric for that item
  • Your child's typed response
  • Sub-concept labels for that lesson

Not sent:

  • Your child's name
  • Your account email
  • Any other child's data

Returned:

  • A numeric score (0-4 scale)
  • A short rationale Claude generates explaining the score

4b. Running tutor conversations

When: your child is stuck on a sub-concept and the optional tutor scaffold activates (or they tap the "Stuck?" button).

Sent to Anthropic:

  • The question stem
  • The sub-concept being practiced
  • Your child's response that triggered the tutor
  • The back-and-forth of the current tutor session (max 4 turns)

Not sent:

  • Your child's name
  • Long-term history from other lessons

Returned:

  • The tutor's next message (short, scaffolded)
  • A signal about whether to continue, let the child retry, or advance

4c. Generating your weekly digest

When: you open the weekly parent digest in your account.

Sent to Anthropic:

  • Your child's first name (so the digest reads naturally)
  • The week's date range
  • Subjects your child worked on, with minutes per subject
  • Sub-concepts mastered that week
  • Sub-concepts still practicing (top 5, by score)
  • Optionally: a short excerpt of your child's writing only if (a) you have the "Share your child's work verbatim" preference turned on, AND (b) your child has not locked that specific response as private

Not sent:

  • Raw response history
  • Tutor transcripts
  • Any data from other children or other families

Returned:

  • The markdown body of the digest
  • A "moment to celebrate" sentence
  • A suggested dinner-table question

We publish this list because we believe families deserve to know exactly what goes to AI systems, not just that "AI is involved."

5. Other services we use to run River School

We rely on a small set of trusted providers. Each one only gets the data it needs to do its job, and each is contractually prohibited from using that data for its own purposes.

Core providers

| Provider | What they do | What they receive | Where they run | |---|---|---|---| | Anthropic (Claude API) | Grading, tutoring, digest generation | Only as described in §4 | US | | Supabase (database + auth) | Stores your account data and your child's work | All data in §2 | US (AWS us-east-2) | | Netlify (hosting + CDN) | Serves the website; edge network | Standard web server request logs: IP, user-agent, path, timestamp. Retained 30 days. | Multi-region, default US | | Stripe (payments) | Processes subscription billing | Your billing email + payment method (card data is captured directly by Stripe, never by us) | US | | Resend (transactional email) | Sends welcome / trial-ending / payment / account-deleted emails | Your email address + the first name you set for your child (for digest greetings only) | US | | Sentry (error monitoring) | Reports app crashes to us so we can fix them | Stack traces + request metadata; email, child name, response text, and other PII fields are scrubbed before sending; kept 90 days | US |

Supplementary providers (only active for specific features)

| Provider | When active | What they receive | |---|---|---| | YouTube (via youtube-nocookie.com) | Only when a lesson includes a YouTube video | Child's IP on iframe load. We use the youtube-nocookie.com privacy-enhanced domain so tracking cookies are not set, and we append rel=0 modestbranding=1 to suppress up-next suggestions. | | Vimeo (player.vimeo.com) | Only when a lesson includes a Vimeo video | Child's IP on iframe load. We append dnt=1 (do-not-track) so Vimeo honours a reduced-tracking posture. |

If we add a new sub-processor, we'll update this list and email active account holders at least 14 days before the change takes effect (see §13).

Typography

River School uses three typefaces — Fraunces, Inter, and JetBrains Mono. They are served from our own origin (optimized + self-hosted at build time via the Next.js font pipeline); your browser does NOT make a runtime request to Google Fonts or any other third-party font CDN. No IP addresses are transmitted to font providers.

Cookies and browser storage

  • rs_child_session — our own short-lived session cookie for a child signed in on a device. HttpOnly, Secure, SameSite=Lax, 8-hour lifetime. Cleared when the child signs out.
  • sb-* — Supabase auth cookies for parent login. HttpOnly, Secure, SameSite=Lax. Set by our database provider; removed on sign-out.
  • No third-party analytics cookies. No advertising cookies. No tracking pixels. No localStorage or sessionStorage is used to persist identifying data.

6. How long we keep data (retention)

This is important, so we'll be specific.

| What | Default retention | Can you change it? | |---|---|---| | Your child's raw written responses | 180 days, rolling | Yes — 30 to 365 days, set in account settings* | | Tutor conversation transcripts | 180 days, rolling | Yes — same tier as responses* | | Session events (what lesson, when, for how long) | 180 days, rolling | Yes — same tier* | | Mastery state (scores, mastered concepts, progress) | While your account is active, plus 30 days after cancellation | No — this is the derived record of your child's learning | | Account info (email, name, preferences) | While your account is active, plus 30 days after cancellation | Managed via account deletion | | Server logs with IP address | 30 days | No | | Error reports | 90 days | No | | Billing records | As required by tax law (generally 7 years) | No |

*The parent-adjustable retention control ships in v1.1. At launch, the default is 180 days.

Once a response passes its retention window, we permanently delete it from our systems. If that response was quoted in a past parent digest, the digest preserves only a placeholder referencing the deletion.

A note on backups. Our database provider takes daily encrypted backups and retains them for up to 30 days for disaster recovery. When you delete your account or a response ages out, we remove it from live systems immediately. The backup copy rolls off on its own schedule — never more than 30 days later. Backups are not queryable without a restore, and we don't restore backups to "recover" deleted data once a deletion is requested.

7. Your rights and controls

As the parent account holder, you can:

  • See what we have — export your child's full activity record in machine-readable form from account settings, or email team@riverschool.app.
  • Delete it — delete your account or just your child's profile anytime from account settings. This deletes raw responses, transcripts, mastery state, and account info within 30 days. Billing records are retained only as tax law requires.
  • Correct it — email us if anything looks wrong.
  • Opt out of quoting your child's work in digests — toggle "Share your child's work verbatim" in account settings. When off, digests paraphrase instead.
  • Set retention — choose how long raw responses and tutor transcripts are kept (v1.1).
  • Move — request an export of your data in a portable format.

Your child, while signed in under your account, can:

  • Mark any specific open-ended response as "Just for you" using a lock icon next to that response. Locked responses never appear as a verbatim quote in digests, regardless of the parent-level setting. Lock state doesn't affect grading or mastery tracking.

8. Improving the product using de-identified data

We learn from aggregate patterns — which concepts are hardest, where the tutor helps most, which lessons time out. For that kind of work, we use data that has been stripped of names, emails, child IDs, and anything that could identify a family.

We do not use identifiable child writing to train River School's internal models or to improve third-party models.

9. COPPA and verifiable parental consent

River School is intended for households where a parent or legal guardian is actively setting up and supervising the service. We comply with the U.S. Children's Online Privacy Protection Act (COPPA).

How we verify parental consent (COPPA §312.5(b)) — we use a layered approach depending on what stage of setup you're in:

  1. At signup — you affirmatively check two separate boxes: "I am 18 years of age or older and the parent or legal guardian of every child I add to this account," and "I agree to the Terms of Service and Privacy Policy." This creates the initial record.
  2. Email verification — we send a confirmation email to the address you provided. Clicking the link activates your account. A child cannot complete this step without access to the parent's email inbox.
  3. Payment on file (when subscription starts) — COPPA §312.5(b)(2)(ii) recognizes a credit/debit card charge attributed to the parent as verifiable parental consent. When you start a trial or subscription, the payment-method attribution strengthens our consent record. Until you reach that step, free-tier features that touch child-authored data are limited.

We record each of these events with timestamp + version of the Terms and Privacy Policy you accepted. If either document changes materially, we'll email you and ask you to re-affirm before the changes take effect (see §13).

  • Children under 13 do not have independent accounts. They use a child profile under your account, with a kid-friendly passcode you help them create.
  • We do not disclose a child's personal information to third parties for anything other than running the service, and never for advertising.
  • You can review, delete, or refuse further collection of your child's data anytime from account settings or by emailing team@riverschool.app.
  • We do not condition a child's use of River School on them giving us more information than is reasonably necessary.

10. FERPA

River School is a consumer service for homeschool families, not a school system. FERPA applies to institutions receiving federal education funding; we are not one. That said, we treat your child's education records with the care FERPA describes — confidentiality, parent access, correction rights — and we consider the spirit of FERPA a floor, not a ceiling.

11. Security

We take security seriously:

  • All data in transit is encrypted with TLS.
  • All data at rest in our database is encrypted.
  • Access to production data is limited to a small number of named engineers and is logged.
  • We use row-level security so that one family's data can never be read by another family's account.
  • We scan for vulnerabilities and patch promptly.
  • Payments are handled entirely by Stripe; we never touch your card number.

No system is perfect. If we become aware of a data breach that affects your family, we'll notify you promptly — within 72 hours of our awareness for material incidents, and always with what happened, what data was involved, and what we're doing about it.

12. Where your data is stored

River School stores data in the United States. If you access the service from outside the US, your data is transferred to the US to be processed. We rely on the standard contractual clauses and equivalent safeguards for any international transfers.

13. Changes to this policy

When we change this policy in a way that materially affects what we collect, how we use it, or who we share it with, we'll email active account holders and post the updated version here with a new "Last updated" date at least 14 days before the change takes effect.

Minor edits (wording, clarifications, updated contact info) may be made without individual notice, but we'll always update the "Last updated" date.

14. Contact us

  • Privacy questions, access, correction, deletion: team@riverschool.app
  • General support: team@riverschool.app
  • Postal mail: [MAILING ADDRESS]

We answer privacy emails within 5 business days.

Privacy Policy version 1.0 · effective [DATE OF LAUNCH]